Audit-Ready: Microsoft 365 Security Audit
Enterprise checklist for 2026 — identity & access, email security, data protection, endpoint security, compliance, audit logs, Secure Score, and remediation prioritization.
Microsoft 365 Security Audit Enterprise Checklist 2026 — enterprise reference guide from EPC Group, built from 29 years of Microsoft consulting engagements at Fortune 500 scale. Covers architecture, governance, compliance, pricing benchmarks, and implementation timelines for the Microsoft ecosystem.
Key Facts
- Built from EPC Group enterprise consulting engagements at Fortune 500 scale.
- Compliance-native guidance for HIPAA, SOC 2, FedRAMP, FINRA, CMMC, and GxP environments.
- Includes pricing benchmarks, timelines, and decision-framework matrices where applicable.
- Authored by EPC Group senior architects with 10+ years Microsoft enterprise experience.
- Microsoft Solutions Partner with experience across core current designations.
- Free consultation to apply this guide to your specific environment.
How to Perform a Microsoft 365 Security Audit
Quick Answer: A Microsoft 365 security audit reviews six key areas:
- Identity & access management
- Email security
- Data protection
- Endpoint security
- Compliance configuration
- Audit log analysis
Start with your Microsoft Secure Score (security.microsoft.com). The average enterprise scores between 35% and 50%. EPC Group targets scores of 75% or higher for regulated industries.
The most effective actions typically include:
- Regularly reviewing security settings
- Implementing multi-factor authentication
- Training employees on security best practices
- Enforcing MFA for all users
- Blocking legacy authentication
- Configuring DLP policies for sensitive data
- Restricting external sharing
A complete audit takes 2-3 weeks and results in a prioritized remediation roadmap.
Every Microsoft 365 tenant is a potential target. With over 400 million paid seats worldwide, M365 is the most-attacked enterprise platform on Earth. Attackers understand that a single compromised account, particularly one without MFA, can provide access to:
- Confidential data
- Corporate resources
- Other user accounts
- Sensitive data
- Company resources
- Other user accounts
- SharePoint
- Teams
- OneDrive data
This access can affect the entire organization.
Many organizations have not performed a formal security audit of their Microsoft 365 environment. They frequently depend on default settings and assume that MFA is always enforced. This assumption is often incorrect.
Additionally, organizations may not realize that their audit logs expire after 90 days. This expiration prevents them from investigating incidents that happen more than three months later.
EPC Group has audited Microsoft 365 environments for Fortune 500 organizations across healthcare, financial services, and government. This checklist is the same methodology our security consultants use — adapted for IT teams who want to conduct their own assessment or prepare for a professional engagement.
Why Regular Security Audits Matter
Microsoft 365 environments can drift from secure baselines as time goes on. This occurs due to several factors:
- New users being added
- Accumulation of Conditional Access exclusions
- Integration of applications
- Changes to settings without proper documentation
Without regular audits, security gaps can build up unnoticed.
60%
of enterprise M365 tenants have at least one admin account without MFA
45%
have more Global Admins than recommended (2-4 maximum)
55%
have no DLP policies protecting sensitive data types
40%
still allow legacy authentication protocols that bypass MFA
Pre-Audit Preparation
Before starting the audit, gather the following information and access. Incomplete preparation is the number one cause of delayed or incomplete security audits.
Pre-Audit Checklist
Identity & Access Review
Priority: CriticalEmail Security Review | EPC Group
Priority: CriticalData Protection Review
Priority: HighEndpoint Security Review
Priority: HighCompliance Review
Priority: HighAudit Log Analysis
Priority: MediumSecure Score Assessment
Microsoft Secure Score provides a quantified security posture measurement. It should be both your starting point and your progress tracker throughout the remediation process.
0-30%
Critical Risk
Basic security controls missing. MFA likely not enforced, legacy auth probably enabled, minimal DLP. Immediate remediation required.
30-60%
Moderate Risk
Some controls in place but significant gaps. Common at organizations that deployed M365 without security planning. Most enterprises land here.
60-80%
Good Posture
Strong security fundamentals. Fine-tuning needed in specific areas. EPC Group target for regulated industry clients is 75%+.
Action Plan: Start by exporting your Secure Score recommendations. Sort them by "Score impact," with the highest scores first. Then, categorize each action based on implementation effort:
- Quick Wins: High impact, low effort. Complete these within 1 week.
- Planned: Address these within 30 days.
- Major Projects: Finish these within 90 days.
EPC Group provides this prioritized roadmap as the main deliverable for every security audit engagement.
Remediation Prioritization Framework
Not all findings carry equal risk. Use this framework to prioritize remediation based on exploitability, business impact, and implementation effort.
P0 — Immediate (24-48 hours)
- MFA not enforced for admin accounts
- Legacy authentication enabled
- Unauthorized mail forwarding rules to external domains
- Global Admin accounts without PIM activation
- Active security incidents detected in audit logs
P1 — Urgent (1-2 weeks)
- MFA not enforced for all standard users
- No DLP policies for regulated data (PII, PHI)
- External sharing set to "Anyone" on sensitive SharePoint sites
- Audit log retention below regulatory requirements
- More than 4 Global Admin accounts active
P2 — Important (30 days)
- Conditional Access policies missing device compliance requirements
- Anti-phishing policies not configured beyond defaults
- Sensitivity labels not deployed or not adopted
- Guest access reviews not configured in Entra ID Governance
- Defender for Endpoint not enrolled on all managed devices
P3 — Planned (90 days)
- Advanced threat protection fine-tuning
- Communication compliance policies deployment
- Information barriers between restricted departments
- Full Compliance Manager assessment completion
- SIEM integration for real-time security monitoring
Audit Report Template
A well-structured audit report is the deliverable that drives action. Here is the report structure EPC Group uses for enterprise Microsoft 365 security audits.
1. Executive Summary
Overall risk rating (Critical/High/Medium/Low), current Secure Score, top 5 findings, recommended immediate actions. One page maximum — this is for CISOs and executives.
2. Scope & Methodology
Tenants audited, services in scope, date range, tools used (Defender portal, Entra admin center, PowerShell, third-party scanners), frameworks applied (CIS Microsoft 365 Benchmarks, NIST CSF).
3. Identity & Access Findings
MFA coverage percentage, Conditional Access policy analysis, privileged account inventory, guest access review, application permissions audit. Each finding includes: current state, recommended state, risk rating, evidence.
4. Email Security Findings
DMARC/DKIM/SPF status, anti-phishing policy effectiveness, mail flow rule review, mailbox forwarding audit. Include DMARC aggregate report analysis if available.
5. Data Protection Findings
DLP policy inventory and gap analysis, sensitivity label adoption metrics, external sharing configuration per site, Teams guest access review. Map findings to regulatory requirements.
6. Endpoint & Compliance Findings
Defender enrollment coverage, device compliance statistics, retention policy coverage, eDiscovery readiness assessment, audit log configuration and retention status.
7. Remediation Roadmap
Prioritized actions (P0 through P3) with estimated effort (hours), responsible team, and target completion date. Include dependencies — some fixes require others to be completed first.
8. Appendices
Raw Secure Score export, Conditional Access policy JSON exports, PowerShell audit scripts used, full user/role inventory, application permissions matrix.
Ongoing Monitoring: Beyond the Audit
A security audit is a point-in-time assessment. Without ongoing monitoring, your security posture degrades as changes accumulate. Here is the monitoring framework EPC Group implements post-audit.
Daily Automated Alerts
- Impossible travel sign-in detections
- New Global Admin role assignments
- Mass file download events (500+ files)
- New mail forwarding rules to external domains
- DLP policy violation spikes
Weekly Reviews
- Secure Score trend — is it improving or declining?
- New Conditional Access policy changes
- Guest user access review queue
- Failed sign-in attempt patterns
- Application consent grants
Monthly Reports
- MFA coverage percentage trend
- DLP incident summary and response metrics
- Endpoint compliance percentage
- Storage and sharing trend analysis
- Audit log retention verification
Quarterly Deep Dives
- Full Conditional Access policy review
- Application permissions re-certification
- External sharing configuration validation
- Retention policy effectiveness review
- Penetration test or phishing simulation
Related Resources
Microsoft 365 Consulting Services
Enterprise Microsoft 365 deployment, governance, security, and optimization from EPC Group.
Read moreMicrosoft 365 Security Hardening Checklist
Step-by-step security hardening guide for Microsoft 365 enterprise tenants.
Read moreZero Trust Security Guide
Implementing Zero Trust architecture across the Microsoft ecosystem for enterprise.
Read moreFrequently Asked Questions
How do you perform a Microsoft 365 security audit?
A Microsoft 365 security audit follows a structured methodology: 1) Pre-audit preparation — define scope, gather admin credentials, document current policies, 2) Identity & access review — MFA enforcement, Conditional Access policies, privileged accounts, guest access, 3) Email security — anti-phishing, anti-malware, DMARC/DKIM/SPF configuration, 4) Data protection — DLP policies, sensitivity labels, external sharing settings, 5) Endpoint security — Defender for Endpoint enrollment, compliance policies, 6) Compliance — retention policies, eDiscovery readiness, audit log configuration, 7) Secure Score assessment — review Microsoft Secure Score and prioritize recommendations, 8) Remediation report — prioritized findings with risk ratings and fix instructions. EPC Group enterprise audits typically take 2-3 weeks and cover all seven areas.
What is Microsoft Secure Score and how do I use it?
Microsoft Secure Score is a numerical measurement (0-100%) of your organization security posture across Microsoft 365 services. Found in the Microsoft 365 Defender portal (security.microsoft.com), it evaluates identity, data, device, app, and infrastructure security controls. Each recommendation includes points, implementation difficulty, and user impact. Common high-value actions: enabling MFA for all users (+10 points), configuring DLP policies (+5 points), blocking legacy authentication (+9 points). The average enterprise Secure Score is 35-50%. EPC Group targets 75%+ for regulated industry clients. Start by sorting recommendations by "Score impact" and addressing the highest-impact items first.
How often should you audit Microsoft 365 security?
EPC Group recommends: 1) Comprehensive audit — annually, covering all security domains from identity to compliance, 2) Targeted reviews — quarterly, focusing on highest-risk areas (identity, email, external sharing), 3) Continuous monitoring — daily automated alerts for critical security events (impossible travel, mass file downloads, admin role changes), 4) Change-triggered audits — after any major change (new Conditional Access policy, tenant merger, new application integration). For HIPAA, SOC 2, and FedRAMP compliance, annual comprehensive audits are typically mandatory with quarterly evidence collection.
What are the most common Microsoft 365 security gaps?
Based on EPC Group audits across 200+ enterprise tenants, the most common gaps are: 1) MFA not enforced for all users (found in 60% of audits — some users excluded from Conditional Access policies), 2) Legacy authentication not blocked (40% — allows password spray attacks that bypass MFA), 3) No DLP policies for sensitive data (55% — PII, PHI, and financial data shared without controls), 4) Excessive admin accounts (45% — more than 5 Global Admins, many without PIM), 5) External sharing unrestricted (50% — SharePoint and OneDrive allow anonymous sharing), 6) Audit logging not enabled or not retained (35% — default 90-day retention insufficient for compliance), 7) No anti-phishing policy beyond default (65% — default policies miss impersonation and BEC attacks).
How do I review Microsoft 365 audit logs?
Microsoft 365 audit logs are accessed through the Microsoft Purview compliance portal (compliance.microsoft.com) under "Audit." Key steps: 1) Verify audit logging is enabled (it is on by default but can be disabled), 2) Use the search function to query specific activities, date ranges, users, or IP addresses, 3) Common searches: failed sign-ins, admin role assignments, mailbox forwarding rules, file sharing events, DLP policy matches, 4) Export results to CSV for analysis or ingest into a SIEM via the Management Activity API, 5) Standard retention is 90 days (E3), 1 year (E5), or 10 years (with audit retention add-on). For compliance, EPC Group recommends E5 licensing with 10-year retention for regulated industries — 90-day retention is insufficient for most regulatory frameworks.
What should a Microsoft 365 security audit report include?
A complete audit report should include: 1) Executive summary — overall risk rating, Secure Score, top 5 critical findings, 2) Scope — what was audited (tenants, services, user populations), 3) Methodology — tools used, frameworks applied (CIS Benchmarks, NIST), 4) Findings by domain — identity, email, data protection, endpoint, compliance — each with severity (Critical/High/Medium/Low), evidence screenshots, and current vs recommended configuration, 5) Remediation roadmap — prioritized by risk with estimated effort and business impact, 6) Compliance mapping — how findings map to regulatory requirements (HIPAA, SOC 2, CMMC), 7) Appendices — raw Secure Score data, audit log samples, configuration exports. EPC Group audit reports typically run 40-60 pages with an executive summary on page 1.
How do I check if MFA is enforced for all Microsoft 365 users?
Multiple verification methods: 1) Microsoft Entra admin center → Users → Per-user MFA — shows MFA status (Enabled, Enforced, Disabled) for each user, 2) Conditional Access policies → Review all policies requiring MFA — check for exclusions (service accounts, break-glass accounts, or forgotten test accounts), 3) Sign-in logs → Filter for "MFA requirement: Not satisfied" to find users bypassing MFA, 4) PowerShell: Get-MgUser + Get-MgUserAuthenticationMethod to programmatically audit MFA registration, 5) Microsoft Secure Score → "Ensure multifactor authentication is enabled for all users" recommendation shows compliance percentage. EPC Group audits always verify MFA through all five methods because per-user MFA settings, Conditional Access policies, and security defaults can conflict — a user may appear MFA-enabled in one view but excluded in another.
What is the difference between a security audit and a penetration test for Microsoft 365?
A security audit reviews configuration, policies, and compliance against best practices (CIS Benchmarks, Microsoft recommendations). It answers: "Are our settings correct?" A penetration test actively attempts to exploit vulnerabilities — phishing simulation, password spraying, token theft, privilege escalation. It answers: "Can an attacker actually breach us?" Both are necessary: audits catch configuration drift and policy gaps; penetration tests validate whether those gaps are exploitable. EPC Group recommends annual audits with semi-annual penetration tests. The audit identifies what to fix; the penetration test proves why it matters to executives who need business justification for security investments.
Get a Professional Microsoft 365 Security Audit
EPC Group security audits address all six domains: identity, email, data protection, endpoints, compliance, and audit logs.
We provide a prioritized remediation roadmap that aligns with your regulatory needs and business risk tolerance.
Microsoft 365 Security Audit: Enterprise Checklist 2026
A Microsoft 365 security audit examines several key areas. These include identity and access controls, email security, data protection policies, endpoint configuration, compliance settings, and audit log coverage.
According to over 200 enterprise tenant audits, EPC Group identified three common critical issues:
- Gaps in Multi-Factor Authentication (MFA)
- Use of legacy authentication
- Missing Data Loss Prevention (DLP) policies
These issues were found in 40–65% of the tenants audited.
- EPC Group has completed security audits for 200+ enterprise M365 tenants.
- MFA not enforced for all users is found in 60% of audits — the most common critical gap.
- No anti-phishing policy beyond the default is found in 65% of audits.
- External sharing unrestricted in SharePoint and OneDrive is found in 50% of audits.
- Microsoft Secure Score is the starting point for every audit — but it does not surface all critical gaps.
What a Microsoft 365 Security Audit Covers
A Microsoft 365 security audit reviews your tenant configuration across six domains. Each domain has specific controls to check and remediation priorities to address.
- Identity & Access: MFA enforcement, Conditional Access policies, admin account hygiene, Privileged Identity Management.
- Email Security: Anti-phishing, anti-spam, safe attachments, safe links, and DKIM/DMARC/SPF configuration.
- Data Protection: Sensitivity labels, DLP policies, retention policies, and SharePoint external sharing settings.
- Endpoint Security: Intune compliance policies, Defender for Endpoint onboarding, device encryption status.
- Compliance: Audit log configuration, retention periods, eDiscovery readiness, and regulatory gap analysis.
- Audit Log Analysis: Review of recent sign-in logs, admin activity, mail flow anomalies, and data exfiltration indicators.
The Most Common Critical Findings
Based on EPC Group audits across 200+ enterprise tenants, these gaps appear most frequently.
- MFA not enforced for all users (60% of audits). Some users are excluded from Conditional Access policies — often legacy accounts, service accounts, or admin accounts without PIM. Every account, including service accounts, should have MFA or a Conditional Access policy applied.
- Legacy authentication not blocked (40% of audits). Legacy authentication protocols — SMTP, POP3, IMAP, MAPI — bypass MFA. Attackers use password spray attacks through these protocols. Block legacy authentication via Conditional Access before enabling MFA enforcement.
- No DLP policies for sensitive data (55% of audits). PII, PHI, and financial data is shared without detection or controls. Default M365 configuration has no DLP policies enabled. Even a basic set of policies covering email and SharePoint dramatically reduces data leakage risk.
- Excessive admin accounts (45% of audits). More than 5 Global Administrators are assigned — many without PIM (Privileged Identity Management). Best practice: no more than 2–4 Global Admins with PIM-activated JIT (just-in-time) access for all privileged operations.
- External sharing unrestricted (50% of audits). SharePoint and OneDrive allow anonymous sharing — anyone with the link can access files. Restrict external sharing to authenticated users only and block anonymous link creation for sensitive environments.
- Audit logging not enabled or not retained (35% of audits). Default 90-day audit retention is insufficient for most compliance requirements. Enable Unified Audit Logging and extend retention — 1 year minimum, 10 years for regulated industries using Audit Premium.
- No anti-phishing policy beyond the default (65% of audits). Default policies miss impersonation and business email compromise (BEC) attacks. Configure Defender for Office 365 anti-phishing policies with impersonation protection for key executives and domains.
Microsoft 365 Security Audit Checklist
Identity and Access Controls
- [ ] MFA enabled and enforced for all users via Conditional Access — no exceptions
- [ ] Legacy authentication blocked via Conditional Access policy
- [ ] Global Admin count: 2–4 accounts maximum
- [ ] Privileged Identity Management (PIM) enabled for all admin roles (E5 required)
- [ ] Conditional Access: compliant device required for sensitive workloads
- [ ] Sign-in risk policy enabled to block high-risk sign-ins automatically
- [ ] External guest access reviewed and scoped — no unrestricted B2B collaboration
Email Security
- [ ] Anti-phishing policy: impersonation protection for C-suite and key domains
- [ ] Safe Attachments: all attachments detonated before delivery
- [ ] Safe Links: URL rewriting and click-time detonation enabled
- [ ] DKIM signing enabled for all accepted domains
- [ ] DMARC policy set to at least "p=quarantine" — reject preferred
- [ ] SPF record published and current for all sending domains
- [ ] Mail flow rules reviewed — no unexpected bypass rules
Data Protection
- [ ] Sensitivity labels deployed with at least 4-tier taxonomy
- [ ] Auto-labeling policies configured for sensitive information types
- [ ] DLP policies active for Exchange, SharePoint, Teams, and OneDrive
- [ ] SharePoint external sharing: set to "Only people in your organization" or "Existing guests" only
- [ ] OneDrive external sharing: "Existing guests" only — no anonymous links
- [ ] Information barriers configured for regulated business functions
Endpoint Security
- [ ] Intune compliance policies defined and enforced via Conditional Access
- [ ] Defender for Endpoint onboarded for all Windows devices
- [ ] BitLocker encryption enforced on all managed Windows devices
- [ ] Mobile device management: iOS and Android MAM policies deployed
- [ ] Endpoint DLP enabled for managed Windows devices (requires Defender for Endpoint)
Compliance and Audit
- [ ] Unified Audit Logging enabled for the entire tenant
- [ ] Audit retention extended beyond 90-day default
- [ ] Retention policies configured for all primary workloads
- [ ] Microsoft Secure Score reviewed and prioritized remediation list exists
- [ ] eDiscovery cases and legal holds configured for any active legal matters
- [ ] Insider Risk Management enabled for high-risk user populations (E5 required)
What a Complete Audit Report Contains
A professional M365 security audit report includes these sections:
- Executive Summary: Overall risk rating, current Secure Score, and top 5 critical findings in plain language for leadership.
- Scope: Which tenants, services, and user populations were audited.
- Methodology: Tools used (Microsoft Secure Score, Defender for Cloud, CIS Benchmarks, NIST 800-53).
- Findings by Domain: Identity, email, data protection, endpoint, and compliance — each with severity (Critical/High/Medium/Low), evidence screenshots, and current vs. recommended configuration.
- Remediation Roadmap: Findings prioritized by risk, with estimated effort, responsible team, and business impact for each item.
- Compliance Mapping: How findings map to applicable regulatory frameworks — HIPAA, SOC 2, NIST, ISO 27001.
EPC Group's M365 Security Audit Practice
EPC Group has conducted security audits for over 200 enterprise M365 tenants. Our audit process includes checks in all six security domains.
- We align our checks with CIS Benchmarks for Microsoft 365.
- We also follow NIST 800-53 controls.
Errin O'Connor, the founder of EPC Group, has been a Microsoft MVP since 2002–2003. He received this honor for the first time in 2003. Errin is also the author of four bestsellers published by Microsoft Press.
EPC Group has key Microsoft Solutions Partner designations, which include:
- Security: This designation is directly relevant to M365 security auditing.
Frequently Asked Questions
What is included in a Microsoft 365 security audit?
An M365 security audit examines several key areas, including:
- Identity and access controls
- Email security configuration
- Data protection policies
- Endpoint compliance
- Audit log settings
- Compliance posture
EPC Group's audits result in a risk-rated findings report, a remediation roadmap, and compliance mapping. These deliverables are ideal for presentation to executive leadership and external auditors.
How long does an M365 security audit take?
EPC Group's standard M365 security audit lasts 2–3 weeks. It includes data collection from the Microsoft 365 admin center, Defender portal, and Purview compliance portal.
Additionally, the audit involves:
- Report preparation
- Findings presentation
Larger or more complex tenants — multiple workloads, hybrid configurations, regulated industries — may require an additional week.
What is Microsoft Secure Score and is it sufficient for a security audit?
Microsoft Secure Score measures your tenant's security configuration against Microsoft's recommended practices. It is a useful starting point — but it does not surface all critical risks.
Secure Score misses risks from legacy authentication bypass, misconfigured mail flow rules, excessive admin accounts, and overshared SharePoint content. A full audit goes beyond Secure Score.
Do we need E5 to fix all audit findings?
No. Many critical findings — MFA enforcement, legacy auth blocking, basic DLP, anti-phishing policies, DKIM/DMARC — are fixable with E3 licenses.
E5 is necessary for several key features, including:
- Privileged Identity Management
- Insider Risk Management
- eDiscovery Premium
- Audit Premium (10-year retention)
EPC Group determines which findings need E5 and which can be addressed with E3.
How often should we run an M365 security audit?
Conduct a full security audit every year. Perform a focused configuration review every three months. During this review, check for:
- Admin account changes
- New DLP policy gaps
- Secure Score regressions
Many organizations include M365 security monitoring in their managed services agreement. This ensures that configuration drift is identified monthly, not just during the annual audit.
Can EPC Group remediate findings after the audit?
Yes, EPC Group provides standalone audits and audit-plus-remediation services. The remediation service addresses the audit findings and includes:
- Configuration changes
- Policy deployments
- Testing
Additionally, we offer managed M365 services that feature quarterly security reviews. These reviews help prevent findings from recurring.
Get Your Microsoft 365 Security Audit
EPC Group's M365 security audits help enterprise organizations understand their risk levels. We provide a prioritized roadmap for remediation. These audits also include compliance mapping and are completed in 2–3 weeks.
With over 200 enterprise tenant audits conducted, we have identified the most common security gaps.